Running your Homelab behind pfSense

The homelab is up and running, but you have a single IP and want to run all the things? This might help.

Using HAProxy on pfSense, we can route traffic arriving on the single external IP to specific servers, while all SSL is handled by the target server.

Assumptions:

- The router has a DMZ configured, and it has your pfSense WAN listed
- Subdomain A record created for target domain

OK, let's get it running. Seeing as we have an SSL cert to hand, we can bind that to HTTPS on our target server.

- Log in to pfSense and head to System > Package Manager
- Hopefully you have already installed Open-VM-Tools for performance
- Search for HAProxy and click Install > Confirm

- You should now have HAProxy under the services menu
- Let's get a backend set up first

- Add and give it a name
- Add IP and port for this backend server
- Leave everything else as default with the exception of Health Check; set this to Basic
- Save

- Add a front end
- Give it a name and external details, and set the type to SSL / https

- Set Expression to "Server Name Indication TLS extension ends with:"
- Value: target subdomain

- Action: use backend (currently only one configured)
- Here you could have multiple subdomains as backends and route them as required

- Save
- Apply changes

Lastly, go to the HAProxy settings and enable the service; you will need to specify a maximum number of connections.

- At this point you should be able to run an SSL checker externally and see your valid chain returned 
- If external checks are failing, check that port 443 is allowed on the pfSense firewall, as it is blocked by default.
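
As an added illustration (not taken from the original article, and not the exact file the pfSense package writes), the GUI steps above correspond roughly to the hand-written HAProxy configuration below. The frontend and backend names, the 203.0.113.10 and 192.168.1.x addresses, the example.com hostnames, the timeouts and the maxconn value are all constructed placeholders; the second backend is an assumption added to show an exact-match rule next to the "ends with" rule.

```haproxy
global
    maxconn 1000                      # constructed value: the "maximum number of connections" setting

defaults
    mode tcp                          # TCP passthrough: HAProxy forwards the TLS stream undecrypted
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend https_sni
    bind 203.0.113.10:443             # placeholder for the single external (WAN) IP

    # Hold the connection until the TLS ClientHello has arrived, so the
    # SNI field can be read before a backend is chosen.
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }

    # "ends with" match, as selected in the frontend steps above.
    # A suffix match on app.example.com also accepts notapp.example.com.
    acl sni_app  req.ssl_sni -m end -i app.example.com

    # Exact string match: only this one name is routed to be_wiki.
    acl sni_wiki req.ssl_sni -m str -i wiki.example.com

    use_backend be_app  if sni_app
    use_backend be_wiki if sni_wiki
    # No default_backend is set, so a ClientHello whose SNI matches
    # neither ACL is not forwarded to any internal server.

backend be_app
    # "check" without further options is a plain TCP connect health check.
    # The certificate and TLS handshake stay on the target server.
    server app1 192.168.1.20:443 check

backend be_wiki
    server wiki1 192.168.1.21:443 check
```

Because the frontend only reads the unencrypted SNI field and never terminates TLS, the certificate seen by an external SSL checker is the one bound on the target server, not one held by pfSense.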

This article was updated on February 5, 2021